The security industry now functions in a new world-one where companies who release networked products and systems that are not ready for safe deployment will find that their customers quickly become aware of it. Here is a question I received from a security practitioner who approached his IT department about putting security systems onto the corporate network, to achieve a number of important benefits.
Q: I told IT that I wanted to put two of our security systems onto the corporate network. They asked me for vendor names, software and firmware version numbers and release notes, and vulnerability disclosures. What is a vulnerability disclosure, and why are they asking for it?
A: Vulnerability disclosure is (a) the practice of publishing information (disclosures) about a computer security problem, and (b) a type of policy that specifies guidelines for doing so. Disclosure may be published by the person or organization that discovers the vulnerability, or by a responsible body such as the Computer Emergency Response Team (CERT). Sometimes the vendor is alerted prior to disclosure, and is allowed a certain amount of time to fix the problem before the vulnerability information is published. CERT's Vulnerability Disclosure Policy can be read here: www.cert.org/kb/vul_disclosure.html.
IT folks ask for vulnerability disclosures because they are responsible for seeing that all systems and devices are deployed in a secure manner on their network. They need information to do this. In the absence of such information a researcher may be tasked with collecting information and identifying vulnerabilities, including by examining the products or systems directly. Direct examinations are becoming more commonplace.
Video System Attack
Last year at the DEFCON conference, which describes itself as "The Hacker Community's Foremost Social Network", a network research firm (people who do network penetration testing for a living) hacked a brand name system and fed back copied video into its video display and recording stream. They picked up an object off a table, but the video system showed the object as still being there. This type of attack is called a "replay attack" where data recorded earlier is played back later and fed into the system.
A sophisticated version of this attack would involve injecting captured video data of the object removal several hours later in time from when it actually occurred. The system's time-stamped video would then provide "evidence" of the object's removal at a time when the attackers were several "hours away" establishing a solid alibi. The recorded video would be properly watermarked by video management software, thus falsely "authenticating" the fact that the attackers "couldn't have done it".
You can download the 50-minute video of their presentation (170 MB file) from the DEFCON home page (www.defcon.org), under the heading "Advancing Video Application Attacks with Video Interception, Recording, and Replay" (about 2/3 of the way down the page as this column was written). They show the demonstration, the model of Cisco camera, and the technical points of how this was done. (Note that the network research firm stated that prior to the conference, they provided a proposed solution to Cisco and were working with them on the technical details.)
Access Control System Attack
Last month at CarolinaCon, an annual hacker's conference in North Carolina, security researcher Shawn Merdinger presented his successful attack on a name-brand networked access control system. He commented in the presentation, "The problem is that they [facilities and physical security] have this convergence ... and they are slapping this stuff onto your network. So you need to be aware of what's going on." Not only does he demonstrate how easy it was to hack the access control system, he puts the company's marketing statements up on the screen about how safe it is to connect the system to the Internet. He then demonstrates an Internet search that locates many such systems on the Internet which are wide open to the type of hack he demonstrates. Like any good security researcher, Shawn reported the vulnerabilities to CERT/CC and worked with them to follow responsible disclosure practices. He also outlined steps to mitigate their impact. You can download the 57-minute video of his presentation from this link: www.mefeedia.com/watch/30048963. Slides from the talk are here: http://tinyurl.com/no-stinking-badges
The New World
In the IT world, vulnerabilities are hunted and found as a matter of normal daily business by network research firms whose role it is to find vulnerabilities so that they can be fixed. They also perform penetration testing for their customers, who require verification that their own systems are being maintained at an acceptable level of security.
From now on, it will be the rule rather than the exception that hacker conferences will include one or more sessions on how to hack physical security systems-just like they contain sessions about hacking telephones, web servers, information systems, and so on.
Whether you are a manufacturer, a consultant, a systems integrator or an end-user customer-it is now critical that you begin paying attention to the vulnerabilities of the products and systems you provide or depend upon.
Q: How did Shawn Merdinger come to investigate the particular access control system?
A: His company was thinking of purchasing one. He was simply doing his job as an IT professional-ensuring that his company would not put itself at risk by installing a vulnerable product or system.
In a recent discussion with a product manager and a sales manager from one security industry manufacturing company, the product manager stated that he didn't think this kind of IT evaluation was very common. "None of our customers have mentioned this to us," he said. "You may be making more out of this than the situation warrants." I explained that in 100% of my global company clients the IT department evaluates all systems and devices that will connect to the network, including physical security systems and devices. I also informed him that I doubted his products would pass such an evaluation, because (a) the user manual shipped didn't fully match the product; (b) there was no installation guide (the company expected all installations to be performed by factory-trained installers); (c) the software user interface didn't follow the Microsoft Windows user interface guidelines (a significant defect in a 3-year old product); and (d) the online help was incomplete and inconsistent from window to window in the application. (Unfortunately these shortcomings are common to many industry products.)
I doubted that any of this company's customers performed IT evaluations, or they would not be customers! They would have selected a more qualified product from an IT perspective. However, even in those cases where IT is not involved in product evaluation, successfully selling a less-qualified product can reduce customer status (the status of the security manager in IT's eyes) when IT finds a product on the network that doesn't meet IT's standards, or isn't developed to professional standards.
Defensive attitudes on the part of manufacturers astound me-because that is backwards thinking. Who wouldn't want to have software that is very easy to use because it follows Microsoft Windows conventions? (I know there are Windows vs. Mac arguments on usability, so don't miss my point. Regardless of the operating system, the software should have very high usability for first time users.) Who wouldn't want to have a product that IT departments embrace because it is professionally developed and packaged, and can be easily evaluated? Who wouldn't want their security practitioner customers to impress IT by having selected a top-notch product?
Furthermore, what IT department wouldn't be pleased to have a "hardening guide" booklet or chapter in the product or system installation instructional material? Since there are no clear leaders in this area, any company with a sound product could take a leading position.
Right now, security practitioners can't go wrong assuming that all physical security systems are vulnerable as shipped from the factory. I was about to write that I know of no commercial off-the-shelf system that ships with specific instructions for secure network deployment or system hardening. Then I learned from my network research colleague Rodney Thayer that Firetide (www.firetide.com) did include hardening information in one of its installation documents-but buried in the midst of other things as opposed to highlighted front-and-center, as the industry needs.
The good news is that this picture is starting to change and Security Technology Executive is dedicated to reporting those changes and improvements to you. If you have convergence experience you want to share, e-mail your comments to me at ConvergenceQA@go-rbcs.com or call me at 949-831-6788. If you have a question you would like answered, I'd like to see it. We don't need to reveal your name or company name in the column. I look forward to hearing from you!
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 23 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).